The Evolution of Global Privacy Law - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
The Evolution of Global Privacy Law

IBM Fall 2006 Security and Privacy Day
  • Lisa J. Sotto, Partner
  • Hunton & Williams LLP
  • (212) 309-1223
  • lsotto@hunton.com
  • November 13, 2006

2
What is Privacy and Data Security?
  • Privacy is the appropriate use of information as
    defined by
    • Law
    • Consumer expectations
  • Security is the protection of information
    • Confidentiality (protection against unauthorized
      access to data)
    • Data integrity

3
Four Privacy Risks
  • Legal compliance
  • Reputation
  • Investment
  • Reticence

4
Data Protection Laws Around the World

5
US Privacy Laws
  • Major federal laws are
    • GLB - Financial institutions
    • HIPAA - Health care entities
    • FCRA/FACTA - Consumer reporting agencies
    • FTC Disposal Rule
    • DPPA - DMV records
    • CAN-SPAM - Commercial e-mail
    • COPPA - Children's data
    • Do-Not-Call Registry - Telemarketing
    • FTC Act Section 5 - Prohibits unfair or deceptive
      trade practices
    • Privacy Act of 1974

6
California
  • Disclosures to Direct Marketers Law (SB 27)
  • California Online Privacy Protection Act
  • Security of Personal Information (AB 1950)
  • California Computer Security Breach Act (SB 1386)

7
Information Security
  • 2005 was the year of the security breach
  • In 2005/2006, 365 information security breaches
    so far
    • ChoicePoint
    • Bank of America
    • Lexis Nexis
    • DSW
    • CardSystems
    • Boston Globe
  • Over 97 million potentially affected
  • 34 state security breach notification laws
  • Numerous federal bills

8
State Security Breach Notification Laws
  • Generally, the duty to notify arises when
    unencrypted personal information was (or was
    reasonably believed to have been) acquired or
    accessed by an unauthorized person
  • Some states require notification when encrypted
    information has been acquired or accessed along
    with the encryption key
  • Personal information is an individual's name,
    combined with
    • SSN
    • driver's license or state ID card number
    • account, credit or debit card number along with
      password or access code
  • But state laws differ
    • Computerized v. paper data
    • Definition of PI
    • Notification to state agencies
    • CRA notification
    • Harm threshold

9
Recent FTC Enforcement Actions
  • Most FTC privacy enforcement actions result from
    security breaches
  • CardSystems
  • ChoicePoint
  • DSW
  • BJ's Wholesale Club
  • Petco
  • Tower Records
  • Barnes & Noble.com
  • Guess.com, Inc.
  • Enforcement trends

10
Emerging State Law Issues
  • Social Security Numbers
    • A number of states regulate the private sector
    • Many others are considering similar legislation
  • Child Protection Registry Laws
    • Michigan and Utah currently regulate
    • Other states pending
    • Senders are prohibited from sending adult
      messages to contact points listed on state
      registries
    • FTC's view
  • Employee Email Monitoring
    • Delaware and Connecticut have employee monitoring
      laws in place

11
Emerging State Law Issues (cont'd.)
  • Website Privacy Notices
    • California, Nebraska and Pennsylvania
  • Radio Frequency Identification (RFID)
    • At least 13 states are considering privacy
      legislation regulating the use of RFID
  • Anti-Spyware
    • 12 states currently have anti-spyware laws
    • At least 17 other states are considering
      anti-spyware legislation

12
The EU Directive
  • Enacted in 1995; each country has its own
    national data protection law, and the Directive
    sets the floor
  • Requires entities to notify authorities or
    register before processing personal data
  • Prohibits transfer of personal data to non-EU
    jurisdictions unless an adequate level of
    protection is guaranteed
    • U.S. is not adequate
  • Data transfer is permitted
    • To adequate countries (e.g., Switzerland,
      Canada)
    • Within the safe harbor framework (from EU to U.S.
      only)
    • Where a contract ensures adequate protection
    • With unambiguous consent of data subject
    • BCRs

13
Recent EU Issues
  • Whistleblower hotlines
  • Data Retention Directive
  • PNR Data
  • SWIFT issue
  • New security breach notification proposals

14
PIPEDA
  • The Personal Information Protection and
    Electronic Documents Act (effective January 1,
    2004)
  • Establishes rules for the management of personal
    information by organizations involved in
    commercial activities
  • Applies to the collection, use and disclosure of
    personal information by organizations during
    commercial activities
  • Personal information is any information about an
    identifiable individual whether recorded or not
  • Requirements
    • Identify purposes of data collection
    • Obtain consent and limit use to identified
      purposes
    • Limit collection to necessary information
    • Limit use, disclosure and retention
    • Individual access

15
Latin America
  • Argentina has an adequate comprehensive law,
    and now an active DPA
  • Several nations have draft data protection laws
  • Other nations codify privacy in consumer
    protection laws
  • Many Latin American nations implement data
    protection concepts through habeas data rights
  • Habeas data rights are found in many national
    constitutions

16
Japan
  • Personal Information Protection Act
  • Enacted in 2003, fully effective April 1, 2005
  • Personal information is any information that
    identifies an individual data subject contained
    in a personal information database (online or
    offline)
  • Applies to each entity using a personal
    information database
  • "Third party" does not include data processors
    but does include affiliates
  • Civil and criminal penalties for violations
  • Guidelines have been published by various
    Ministries

17
APEC
  • Created an information privacy framework with 9
    privacy principles
    • Preventing harm
    • Notice
    • Collection limitation
    • Uses of personal information
    • Choice
    • Integrity
    • Security
    • Access and correction
    • Accountability
  • Endorsed by 21 member economies in November 2004
  • Consistent with OECD Guidelines

18
New and Expected Global Privacy Regimes
  • Russia
    • DP law passed July 2006
    • Bears strong resemblance to EU Directive
  • India
    • New data security proposals to amend India's IT
      Act of 2000
    • The proposals result from recent breaches and
      reports of lax security practices
  • China
    • Law is currently being drafted

19
U.S. Enforcement and Litigation
  • FTC's new Division of Privacy and Identity
    Protection
  • The FTC's enforcement tools are evolving to meet
    new problems
  • CardSystems
  • ChoicePoint
  • DSW
  • BJ's Wholesale Club
  • Petco
  • Tower Records
  • Barnes & Noble.com
  • Guess.com, Inc.
  • U.S. privacy litigation trends

20
Privacy Issues Are Often Unexpected
  • Information security breaches pose new and
    sometimes acute risks
    • FTC enforcement and litigation
    • Erosion of customer trust
    • Public perception of brand plummets
    • Investor concerns and market reaction
  • Whistleblower hotlines
  • HP's pretexting issues

21
Minimizing the Risk
  • Prevention is the primary goal, but proactive
    planning can minimize impact if a privacy event
    occurs
  • Concern and focus on data privacy and security
    must come from the top
  • Data privacy now often involves the CEO, CFO,
    CPO, CIO and GC
  • Re-evaluate security systems and privacy and
    security policies on an ongoing basis
  • Integrate the concern for information privacy and
    security as a core value and train often

22
The Global Perspective
  • Information security is the global topic du jour
  • Expect new U.S. privacy legislation
  • New level of professionalism of EU DPAs
  • There is significant activity globally to enact
    new data protection laws
  • There will be a focus on data protection
    harmonization in coming years

23
Questions?
  • Lisa J. Sotto, Partner
    Head, Privacy and Information Management Practice
    Hunton & Williams LLP
    (212) 309-1223
    lsotto@hunton.com

233317v2